Hi there,
Today we upgraded to the latest IPA 4.5, log says it upgraded just fine, ipa seems to authenticate all right, but web ui fails with:
Operations Error
Some operations failed.
an internal error has occurred
And the details it shows when I press the OK button are:
Runtime error
Web UI got in unrecoverable state during "profile" phase.
Technical details:
t.metadata is undefined
update_logged_in@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:18156
choose_profile@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:16651
register_phases/<@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:1181
_run_phase/<@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:3476
forEach@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:29752
_run_phase@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:3440
next_phase@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:3899
_run_phase/<@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:3626
c@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:60960
d/t.then@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:62246
_run_phase@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:3548
next_phase@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:3899
_run_phase/<@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:3626
c@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:60960
l@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:60886
d/this.resolve@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:61873
dojo/promise/all/</</</<@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:85255
c@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:60960
l@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:60886
d/this.resolve@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:61873
register_phases/</<@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:1092
on_success@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:34431
freeipa/rpc/</a.concurrent_command/t.on_success_all@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:57160
freeipa/rpc/</a.concurrent_command/t.command_completed@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:56953
freeipa/rpc/</a.concurrent_command/t.success_handler@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:56790
freeipa/rpc/</a.concurrent_command/t.execute/n.on_success</<@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:56340
freeipa/rpc/</a.command/l.register_handlers/<@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:53786
f@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:49586
dojo/on/</i.emit@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:45192
dojo/on/</i.emit@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:45808
emit@https://ipaserver.fisica.cabib/ipa/ui/js/dojo/dojo.js?v=40500:1:48712
c@https://ipaserver.fisica.cabib/ipa/ui/js/freeipa/app.js?40500:1:52429
l@https://ipaserver.fisica.cabib/ipa/ui/js/libs/jquery.js?v=40500:4:24877
fireWith@https://ipaserver.fisica.cabib/ipa/ui/js/libs/jquery.js?v=40500:4:25702
k@https://ipaserver.fisica.cabib/ipa/ui/js/libs/jquery.js?v=40500:6:5346
t/<@https://ipaserver.fisica.cabib/ipa/ui/js/libs/jquery.js?v=40500:6:9152
The Apache error log shows:
[Mon Aug 07 11:04:32.078630 2017] [:warn] [pid 11845] [client ##.##.##.##:45938] failed to set perms (3140) on file (/var/run/ipa/ccaches/tavo@FISICA.CABIB)!, referer: https://ipaserver.fisica.cabib/ipa/ui/
[Mon Aug 07 11:04:32.079589 2017] [:error] [pid 11839] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Mon Aug 07 11:04:32.079709 2017] [:error] [pid 11839] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Mon Aug 07 11:04:32.160389 2017] [:error] [pid 11839] ipa: DEBUG: Created connection context.ldap2_94603036533520
[Mon Aug 07 11:04:32.160485 2017] [:error] [pid 11839] ipa: DEBUG: WSGI jsonserver.__call__:
[Mon Aug 07 11:04:32.160577 2017] [:error] [pid 11839] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
[Mon Aug 07 11:04:32.170494 2017] [:error] [pid 11839] ipa: DEBUG: raw: batch(({u'params': ([], {}), u'method': u'i18n_messages'}, {u'params': ([], {}), u'method': u'config_show'}, {u'params': ([], {}), u'method': u'whoami'}, {u'params': ([], {}), u'method': u'env'}, {u'params': ([], {}), u'method': u'dns_is_enabled'}, {u'params': ([], {}), u'method': u'trustconfig_show'}, {u'params': ([], {}), u'method': u'domainlevel_get'}, {u'params': ([], {}), u'method': u'ca_is_enabled'}, {u'params': ([], {}), u'method': u'vaultconfig_show'}), version=u'2.228')
[Mon Aug 07 11:04:32.170764 2017] [:error] [pid 11839] ipa: DEBUG: batch(({u'params': ([], {}), u'method': u'i18n_messages'}, {u'params': ([], {}), u'method': u'config_show'}, {u'params': ([], {}), u'method': u'whoami'}, {u'params': ([], {}), u'method': u'env'}, {u'params': ([], {}), u'method': u'dns_is_enabled'}, {u'params': ([], {}), u'method': u'trustconfig_show'}, {u'params': ([], {}), u'method': u'domainlevel_get'}, {u'params': ([], {}), u'method': u'ca_is_enabled'}, {u'params': ([], {}), u'method': u'vaultconfig_show'}), version=u'2.228')
[Mon Aug 07 11:04:32.171033 2017] [:error] [pid 11839] ipa: DEBUG: raw: i18n_messages(version=u'2.228')
[Mon Aug 07 11:04:32.171215 2017] [:error] [pid 11839] ipa: DEBUG: i18n_messages(version=u'2.228')
[Mon Aug 07 11:04:32.178630 2017] [:error] [pid 11839] ipa: INFO: tavo@FISICA.CABIB: batch: i18n_messages(): SUCCESS
[Mon Aug 07 11:04:32.178857 2017] [:error] [pid 11839] ipa: DEBUG: raw: config_show(version=u'2.228')
[Mon Aug 07 11:04:32.179094 2017] [:error] [pid 11839] ipa: DEBUG: config_show(rights=False, all=False, raw=False, version=u'2.228')
[Mon Aug 07 11:04:32.181775 2017] [:error] [pid 11839] ipa: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-FISICA-CABIB.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x560a7e36a0e0>
[Mon Aug 07 11:04:32.548227 2017] [:error] [pid 11839] ipa: INFO: tavo@FISICA.CABIB: batch: config_show(): SUCCESS
[Mon Aug 07 11:04:32.548454 2017] [:error] [pid 11839] ipa: DEBUG: raw: whoami(version=u'2.228')
[Mon Aug 07 11:04:32.548625 2017] [:error] [pid 11839] ipa: DEBUG: whoami(version=u'2.228')
[Mon Aug 07 11:04:32.549205 2017] [:error] [pid 11839] ipa: INFO: tavo@FISICA.CABIB: batch: whoami(): PROTOCOL_ERROR
[Mon Aug 07 11:04:32.549456 2017] [:error] [pid 11839] ipa: DEBUG: raw: env(None, version=u'2.228')
[Mon Aug 07 11:04:32.549700 2017] [:error] [pid 11839] ipa: DEBUG: env(None, server=False, all=True, version=u'2.228')
[Mon Aug 07 11:04:32.550139 2017] [:error] [pid 11839] ipa: INFO: tavo@FISICA.CABIB: batch: env(None): SUCCESS
[Mon Aug 07 11:04:32.550350 2017] [:error] [pid 11839] ipa: DEBUG: raw: dns_is_enabled(version=u'2.228')
[Mon Aug 07 11:04:32.550520 2017] [:error] [pid 11839] ipa: DEBUG: dns_is_enabled(version=u'2.228')
[Mon Aug 07 11:04:32.552209 2017] [:error] [pid 11839] ipa: INFO: tavo@FISICA.CABIB: batch: dns_is_enabled(): SUCCESS
[Mon Aug 07 11:04:32.552435 2017] [:error] [pid 11839] ipa: DEBUG: raw: trustconfig_show(version=u'2.228')
[Mon Aug 07 11:04:32.552742 2017] [:error] [pid 11839] ipa: DEBUG: trustconfig_show(rights=False, trust_type=u'ad', all=False, raw=False, version=u'2.228')
[Mon Aug 07 11:04:32.558903 2017] [:error] [pid 11839] ipa: INFO: tavo@FISICA.CABIB: batch: trustconfig_show(): SUCCESS
[Mon Aug 07 11:04:32.559101 2017] [:error] [pid 11839] ipa: DEBUG: raw: domainlevel_get(version=u'2.228')
[Mon Aug 07 11:04:32.559292 2017] [:error] [pid 11839] ipa: DEBUG: domainlevel_get(version=u'2.228')
[Mon Aug 07 11:04:32.560543 2017] [:error] [pid 11839] ipa: INFO: tavo@FISICA.CABIB: batch: domainlevel_get(): SUCCESS
[Mon Aug 07 11:04:32.560753 2017] [:error] [pid 11839] ipa: DEBUG: raw: ca_is_enabled(version=u'2.228')
[Mon Aug 07 11:04:32.560924 2017] [:error] [pid 11839] ipa: DEBUG: ca_is_enabled(version=u'2.228')
[Mon Aug 07 11:04:32.562484 2017] [:error] [pid 11839] ipa: INFO: tavo@FISICA.CABIB: batch: ca_is_enabled(): SUCCESS
[Mon Aug 07 11:04:32.562694 2017] [:error] [pid 11839] ipa: DEBUG: raw: vaultconfig_show(version=u'2.228')
[Mon Aug 07 11:04:32.562880 2017] [:error] [pid 11839] ipa: DEBUG: vaultconfig_show(all=False, raw=False, version=u'2.228')
[Mon Aug 07 11:04:32.563089 2017] [:error] [pid 11839] ipa: DEBUG: raw: kra_is_enabled(version=u'2.228')
[Mon Aug 07 11:04:32.563209 2017] [:error] [pid 11839] ipa: DEBUG: kra_is_enabled(version=u'2.228')
[Mon Aug 07 11:04:32.564192 2017] [:error] [pid 11839] ipa: INFO: tavo@FISICA.CABIB: batch: vaultconfig_show(): InvocationError
[Mon Aug 07 11:04:32.564462 2017] [:error] [pid 11839] ipa: INFO: [jsonserver_session] tavo@FISICA.CABIB: batch(({u'params': ([], {}), u'method': u'i18n_messages'}, {u'params': ([], {}), u'method': u'config_show'}, {u'params': ([], {}), u'method': u'whoami'}, {u'params': ([], {}), u'method': u'env'}, {u'params': ([], {}), u'method': u'dns_is_enabled'}, {u'params': ([], {}), u'method': u'trustconfig_show'}, {u'params': ([], {}), u'method': u'domainlevel_get'}, {u'params': ([], {}), u'method': u'ca_is_enabled'}, {u'params': ([], {}), u'method': u'vaultconfig_show'}), version=u'2.228'): SUCCESS
[Mon Aug 07 11:04:32.567156 2017] [:error] [pid 11839] ipa: DEBUG: Destroyed connection context.ldap2_94603036533520
The file that the first line of the Apache log refers to has these attributes:
stat /var/run/ipa/ccaches/tavo@FISICA.CABIB
  File: ‘/var/run/ipa/ccaches/tavo@FISICA.CABIB’
  Size: 4596  Blocks: 16  IO Block: 4096  regular file
Device: 12h/18d  Inode: 37651  Links: 1
Access: (0600/-rw-------)  Uid: ( 989/ ipaapi)  Gid: ( 985/ ipaapi)
Context: system_u:object_r:ipa_var_run_t:s0
Access: 2017-08-07 11:09:56.260676960 -0300
Modify: 2017-08-07 09:58:09.367597633 -0300
Change: 2017-08-07 09:58:09.367597633 -0300
 Birth: -
These are the ipa packages I have:
rpm -qa | grep ipa
python2-ipaclient-4.5.0-21.el7.noarch
python-iniparse-0.4-9.el7.noarch
sssd-ipa-1.15.2-50.el7.x86_64
ipa-client-4.5.0-21.el7.x86_64
python2-ipaserver-4.5.0-21.el7.noarch
python-libipa_hbac-1.15.2-50.el7.x86_64
ipa-common-4.5.0-21.el7.noarch
ipa-server-4.5.0-21.el7.x86_64
ipa-server-common-4.5.0-21.el7.noarch
ipa-server-dns-4.5.0-21.el7.noarch
python-ipaddress-1.0.16-2.el7.noarch
ipa-python-compat-4.5.0-21.el7.noarch
ipa-client-common-4.5.0-21.el7.noarch
libipa_hbac-1.15.2-50.el7.x86_64
python2-ipalib-4.5.0-21.el7.noarch
Any ideas?
Thanks!
Hello Gustavo,
On 08/07/2017 04:20 PM, Gustavo Berman via FreeIPA-users wrote:
Hi there, Today we upgraded to the latest IPA 4.5, log says it upgraded just fine, ipa seems to authenticate all right, but web ui fails with:
Operations Error Some operations failed. an internal error has occurred
And the details it shows when I press the OK button are:
Runtime error
Web UI got in unrecoverable state during "profile" phase.
Technical details:
t.metadata is undefined
The Apache error log shows:
[Mon Aug 07 11:04:32.078630 2017] [:warn] [pid 11845] [client ##.##.##.##:45938] failed to set perms (3140) on file (/var/run/ipa/ccaches/tavo@FISICA.CABIB)!, referer: https://ipaserver.fisica.cabib/ipa/ui/
The file that the first line of the Apache log refers to has these attributes:
stat /var/run/ipa/ccaches/tavo@FISICA.CABIB
  File: ‘/var/run/ipa/ccaches/tavo@FISICA.CABIB’
  Size: 4596  Blocks: 16  IO Block: 4096  regular file
Device: 12h/18d  Inode: 37651  Links: 1
Access: (0600/-rw-------)  Uid: ( 989/ ipaapi)  Gid: ( 985/ ipaapi)
Context: system_u:object_r:ipa_var_run_t:s0
Access: 2017-08-07 11:09:56.260676960 -0300
Modify: 2017-08-07 09:58:09.367597633 -0300
Change: 2017-08-07 09:58:09.367597633 -0300
 Birth: -
The first line from the httpd error log is not an error. It is normal output.
Any ideas?
From what I can see, the issue would be PROTOCOL ERROR in the whoami command. Could you please check whether all services are running? Please run
# ipactl status
and post the output.
And could you please send me the /etc/named.conf? Everything after the dyndb "ipa" line is especially interesting for us.
Thanks!
-- Gustavo Berman Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
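The log reading done in the reply above, as an added example that is not part of the original thread: the Web UI sends its startup commands as one batch, and the batch as a whole is logged as SUCCESS even when individual commands inside it fail, so the per-command `batch:` lines are the ones to check. The sample is an excerpt of the log posted above (the final `batch(...)` argument list is abridged); the function and field names are this example's own.

```python
"""Summarise per-command results of FreeIPA batch calls in an Apache error log."""
import re

PREFIX = r"^\[(?P<ts>[^\]]+)\] \[[^\]]*\] \[pid (?P<pid>\d+)\] ipa: INFO: "
# One line per command run inside a batch, e.g. "...: batch: whoami(): PROTOCOL_ERROR"
SUB_RE = re.compile(
    PREFIX + r"(?P<principal>\S+): batch: (?P<command>\w+)\(.*\): (?P<status>\w+)\s*$")
# One line for the batch request as a whole, logged after its commands.
OUTER_RE = re.compile(
    PREFIX + r"\[jsonserver_session\] (?P<principal>\S+): batch\(.*\): (?P<status>\w+)\s*$")

# Excerpt of the log in this thread; the last line's argument list is abridged.
SAMPLE_LOG = """\
[Mon Aug 07 11:04:32.078630 2017] [:warn] [pid 11845] [client ##.##.##.##:45938] failed to set perms (3140) on file (/var/run/ipa/ccaches/tavo@FISICA.CABIB)!, referer: https://ipaserver.fisica.cabib/ipa/ui/
[Mon Aug 07 11:04:32.178630 2017] [:error] [pid 11839] ipa: INFO: tavo@FISICA.CABIB: batch: i18n_messages(): SUCCESS
[Mon Aug 07 11:04:32.548227 2017] [:error] [pid 11839] ipa: INFO: tavo@FISICA.CABIB: batch: config_show(): SUCCESS
[Mon Aug 07 11:04:32.548625 2017] [:error] [pid 11839] ipa: DEBUG: whoami(version=u'2.228')
[Mon Aug 07 11:04:32.549205 2017] [:error] [pid 11839] ipa: INFO: tavo@FISICA.CABIB: batch: whoami(): PROTOCOL_ERROR
[Mon Aug 07 11:04:32.550139 2017] [:error] [pid 11839] ipa: INFO: tavo@FISICA.CABIB: batch: env(None): SUCCESS
[Mon Aug 07 11:04:32.562484 2017] [:error] [pid 11839] ipa: INFO: tavo@FISICA.CABIB: batch: ca_is_enabled(): SUCCESS
[Mon Aug 07 11:04:32.564192 2017] [:error] [pid 11839] ipa: INFO: tavo@FISICA.CABIB: batch: vaultconfig_show(): InvocationError
[Mon Aug 07 11:04:32.564462 2017] [:error] [pid 11839] ipa: INFO: [jsonserver_session] tavo@FISICA.CABIB: batch(({u'params': ([], {}), u'method': u'whoami'},), version=u'2.228'): SUCCESS
"""


def triage(log_text):
    """Return one report per batch request, listing the commands inside it
    that did not end in SUCCESS. Lines are grouped by Apache worker pid,
    because one worker handles one request at a time."""
    pending = {}   # pid -> failed commands seen since that worker's last batch line
    reports = []
    for line in log_text.splitlines():
        sub = SUB_RE.match(line)
        if sub:
            if sub["status"] != "SUCCESS":
                pending.setdefault(sub["pid"], []).append(
                    (sub["command"], sub["status"]))
            continue
        outer = OUTER_RE.match(line)
        if outer:
            reports.append({
                "timestamp": outer["ts"],
                "principal": outer["principal"],
                "outer_status": outer["status"],
                "failed": pending.pop(outer["pid"], []),
            })
    return reports


def masked_failures(log_text):
    """Batches logged as SUCCESS overall although a command inside them failed."""
    return [r for r in triage(log_text)
            if r["outer_status"] == "SUCCESS" and r["failed"]]


if __name__ == "__main__":
    for report in masked_failures(SAMPLE_LOG):
        print(report["timestamp"], report["principal"])
        for command, status in report["failed"]:
            print("   ", command, "->", status)
```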
Hello Pavel
On Mon, Aug 7, 2017 at 12:40 PM, Pavel Vomacka pvomacka@redhat.com wrote:
Hello Gustavo,
From what I can see, the issue would be PROTOCOL ERROR in the whoami command. Could you please check whether all services are running? Please run
# ipactl status
and post the output.
# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
And could you please send me the /etc/named.conf? Everything after the dyndb "ipa" line is especially interesting for us.
This is from /etc/named.conf
options {
    // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
    listen-on-v6 {any;};

    // Put files that named is allowed to write in the data/ directory:
    directory "/var/named"; // the default
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";

    forward only;
    forwarders { 10.73.2.100; 10.73.2.102; 10.73.2.101; };

    // Any host is permitted to issue recursive queries
    allow-recursion { any; };

    tkey-gssapi-keytab "/etc/named.keytab";
    pid-file "/run/named/named.pid";
    dnssec-enable yes;
    dnssec-validation no;
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};

/* If you want to enable debugging, eg. using the 'rndc trace' command,
 * By default, SELinux policy does not allow named to modify the /var/named directory,
 * so put the default debug log file in data/ :
 */
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
        print-time yes;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";

dyndb "ipa" "/usr/lib64/bind/ldap.so" {
    uri "ldapi://%2fvar%2frun%2fslapd-FISICA-CABIB.socket";
    base "cn=dns, dc=fisica,dc=cabib";
    fake_mname "ipaserver.fisica.cabib.";
    auth_method "sasl";
    sasl_mech "GSSAPI";
    sasl_user "DNS/ipaserver.fisica.cabib";
    server_id "ipaserver.fisica.cabib";
};

include "/etc/named.root.key";

key "rndc-key" {
    algorithm hmac-md5;
    secret "#########################";
};
On 08/07/2017 07:01 PM, Gustavo Berman via FreeIPA-users wrote:
Hello Pavel
On Mon, Aug 7, 2017 at 12:40 PM, Pavel Vomacka <pvomacka@redhat.com> wrote:
Hello Gustavo, From what I can see, the issue would be PROTOCOL ERROR in the whoami command. Could you please check whether all services are running? Please run # ipactl status and post the output.
And could you please send me the /etc/named.conf? Everything after the dyndb "ipa" line is especially interesting for us.
This is from /etc/named.conf
Thank you for the configuration. It looks good.
Another thing that might be incorrect is that the whoami plugin is not loaded. Please check whether you have the following line:
dn: cn=whoami,cn=plugins,cn=config
in /etc/dirsrv/slapd-IPASERVER-FISICA-CABIB/dse.ldif

If not, please add the following lines there (the lines between the double quotes, without the quotes themselves):
"
dn: cn=whoami,cn=plugins,cn=config
cn: whoami
nsslapd-plugin-depends-on-type: database
nsslapd-pluginDescription: whoami extended operation plugin
nsslapd-pluginEnabled: on
nsslapd-pluginId: whoami-plugin
nsslapd-pluginInitfunc: whoami_init
nsslapd-pluginPath: libwhoami-plugin
nsslapd-pluginType: extendedop
nsslapd-pluginVendor: 389 Project
nsslapd-pluginVersion: 1.3.5.18
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
"
and change the nsslapd-pluginVersion value to the same one that the other plugins have.
Then you will probably need to restart the ipa service or at least dirsrv.
Did that help?
Could you please tell us more about the upgrade? Especially, from which version did you upgrade to 4.5, and which OS do you use? Which version of IPA did you have when you started using IPA?
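The dse.ldif check described in the reply above, as an added example that is not part of the original thread: it parses LDIF text (including folded continuation lines), reports whether the `cn=whoami,cn=plugins,cn=config` entry is missing, disabled or present, and lists the `nsslapd-pluginVersion` values of the other plugin entries so a matching value can be chosen. The sample LDIF, the plugin names `example-a`/`example-b` and the version string `0.0.0-example` are constructed; on a real server the text would be read from the instance's dse.ldif.

```python
"""Check 389-DS dse.ldif text for the whoami extended-operation plugin entry."""
import base64
import re

WHOAMI_DN = "cn=whoami,cn=plugins,cn=config"
PLUGIN_SUFFIX = ",cn=plugins,cn=config"

# Constructed sample: two placeholder plugin entries, one with a folded DN line.
SAMPLE_BROKEN = """\
dn: cn=config
cn: config

dn: cn=example-a,cn=plugins,cn=config
cn: example-a
nsslapd-pluginEnabled: on
nsslapd-pluginVersion: 0.0.0-example

dn: cn=example-b,cn=plugins,
 cn=config
cn: example-b
nsslapd-pluginEnabled: on
nsslapd-pluginVersion: 0.0.0-example
"""

# Same constructed sample with the whoami entry present and enabled.
SAMPLE_FIXED = SAMPLE_BROKEN + """
dn: cn=whoami,cn=plugins,cn=config
cn: whoami
nsslapd-pluginEnabled: on
nsslapd-pluginVersion: 0.0.0-example
"""


def unfold(text):
    """Join LDIF continuation lines: a line starting with one space
    continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text):
    """Return entries as dicts of lower-cased attribute name -> list of values."""
    entries, current = [], {}
    for line in unfold(text) + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        match = re.match(r"([^:]+)(::?)\s*(.*)$", line)
        if not match:
            continue
        attr, sep, value = match.groups()
        if sep == "::":                        # "attr:: <base64>" form
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value)
    return entries


def normalize_dn(dn):
    """Lower-case a DN and drop spaces around commas so comparisons are stable."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def whoami_status(text):
    """Return 'missing', 'disabled' or 'ok' for the whoami plugin entry."""
    for entry in parse_entries(text):
        if normalize_dn(entry.get("dn", [""])[0]) == WHOAMI_DN:
            enabled = entry.get("nsslapd-pluginenabled", ["off"])[0].lower()
            return "ok" if enabled == "on" else "disabled"
    return "missing"


def other_plugin_versions(text):
    """Count nsslapd-pluginVersion values used by plugin entries other than whoami."""
    versions = {}
    for entry in parse_entries(text):
        dn = normalize_dn(entry.get("dn", [""])[0])
        if dn.endswith(PLUGIN_SUFFIX) and dn != WHOAMI_DN:
            for version in entry.get("nsslapd-pluginversion", []):
                versions[version] = versions.get(version, 0) + 1
    return versions


if __name__ == "__main__":
    print("before:", whoami_status(SAMPLE_BROKEN))
    print("after: ", whoami_status(SAMPLE_FIXED))
    print("versions used by other plugins:", other_plugin_versions(SAMPLE_FIXED))
```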
Pavel, Thanks for the help, that solved the problem. Now I can access the web ui. The upgrade took place yesterday and it was a release upgrade from rhel 7.3 (last update was last week) to rhel 7.4 (so we had a lot of package updates):
ID | Command line | Date and time    | Action(s)  | Altered
-------------------------------------------------------------------------------
35 | update       | 2017-08-07 09:07 | E, I, O, U | 470 EE

According to yum history info, these are the ipa packages that were updated:
    Obsoleted ipa-admintools-4.4.0-14.el7_3.7.noarch @rhel7
    Updated ipa-client-4.4.0-14.el7_3.7.x86_64 @rhel7
    Obsoleting ipa-client-4.5.0-21.el7.x86_64 @rhel7
    Updated ipa-client-common-4.4.0-14.el7_3.7.noarch @rhel7
    Update 4.5.0-21.el7.noarch @rhel7
    Updated ipa-common-4.4.0-14.el7_3.7.noarch @rhel7
    Update 4.5.0-21.el7.noarch @rhel7
    Updated ipa-python-compat-4.4.0-14.el7_3.7.noarch @rhel7
    Update 4.5.0-21.el7.noarch @rhel7
    Updated ipa-server-4.4.0-14.el7_3.7.x86_64 @rhel7
    Update 4.5.0-21.el7.x86_64 @rhel7
    Updated ipa-server-common-4.4.0-14.el7_3.7.noarch @rhel7
    Update 4.5.0-21.el7.noarch @rhel7
    Updated ipa-server-dns-4.4.0-14.el7_3.7.noarch @rhel7
    Update 4.5.0-21.el7.noarch @rhel7
    Updated libipa_hbac-1.14.0-43.el7_3.18.x86_64 @rhel7
    Update 1.15.2-50.el7.x86_64 @rhel7
    Updated python-libipa_hbac-1.14.0-43.el7_3.18.x86_64 @rhel7
    Update 1.15.2-50.el7.x86_64 @rhel7
    Updated python2-ipaclient-4.4.0-14.el7_3.7.noarch @rhel7
    Update 4.5.0-21.el7.noarch @rhel7
    Updated python2-ipalib-4.4.0-14.el7_3.7.noarch @rhel7
    Update 4.5.0-21.el7.noarch @rhel7
    Updated python2-ipaserver-4.4.0-14.el7_3.7.noarch @rhel7
    Update 4.5.0-21.el7.noarch @rhel7
    Updated sssd-ipa-1.14.0-43.el7_3.18.x86_64 @rhel7
    Update 1.15.2-50.el7.x86_64 @rhel7
Again, thanks for the help! Kind regards
On 08/08/2017 02:03 PM, Gustavo Berman via FreeIPA-users wrote:
Pavel, Thanks for the help, that solved the problem. Now I can access the web ui.
I'm glad that it works again.
The upgrade took place yesterday and it was a release upgrade from rhel 7.3 (last update was last week) to rhel 7.4 (so we had a lot of package updates):
Thank you for the info. I have one additional question: What was the first y-version of RHEL 7 you used?
Hi Pavel,
On this machine it says that the first install of rhel-release-server was 7.2-9.
But the ipa information came from a centos 6.4 install some years ago with ipa 3.0.
Later it was converted to rhel 7.0 and then upgraded through the years.
Hope that helps
Hi,
I just had the same issue as Gustavo with the webui after upgrading from 7.3 to 7.4, and came across this thread. Adding the whoami plugin to dse.ldif solved the issue.
Thanks.
Regards, Siggi